I'm careful to use strong passwords (according to How Big is Your Haystack, my passwords would take a massive cracking array 1.5 million centuries to crack), I don't reuse passwords across sites, and I use two-factor authentication where it's available.

But typing in those passwords all the time is a real hassle, especially on a phone or tablet. A friend recently asked why I don't just use a relatively weak password for sites like Gmail where I have two-factor authentication enabled, and I didn't really have a good answer. Even if someone brute-forced my password, they'd still need to be in physical possession of my phone to get in.

So: Is it safe to weaken my Gmail password for my own convenience? Or is there a realistic scenario that I'm not taking into consideration?

Clarification: I'm not talking about using a trivial password (e.g. "a") - no site will let me do that anyway. I'm talking about going from a 16-character password with a search space on the order of 10^30 to an 8-character password with a search space on the order of 10^14.

Added the trust tag, as when lowering password entropy one must trust the other factor significantly more than the password. IMO this is a trust issue. If you trust that only you have access to your phone at all times and are the only one who can successfully authenticate to it (if it is protected), you may argue that the phone is a security mechanism much better than the password. However, if your password is 'A' and someone did actually get hold of your phone, you might think otherwise.
– Henning Klevjer, Nov 11 '12 at 10:19


Side-note 1: If you ever enter the password on the same device you use for two-factor auth, it degrades to one-factor auth.
– CodesInChaos, Nov 11 '12 at 10:34


Side-note 2: That website does not give you good estimates for password strength. It typically vastly overestimates the strength of a password. Read the notes at the bottom of the page.
– CodesInChaos, Nov 11 '12 at 10:37


Somebody just needs to compromise a single device (put a trojan on your device). So it's a single point of failure.
– CodesInChaos, Nov 11 '12 at 16:31

11 Answers

Specifically for Google, if you use two-factor authentication it is safe to "weaken" your password "from a 16-character password with a search space on the order of 10^30 to an 8-character password with a search space on the order of 10^14" as long as you use a good 8-character password (i.e. completely random and not re-used across sites).

The strength of two-factor authentication lies in the assumption that the two factors require different kinds of attack and it is unlikely that a single attacker would perform both kinds of attacks on a single target. To answer your question we need to analyze what attacks are possible on weaker passwords compared to stronger passwords and how likely it is that someone who is able to attack weaker passwords but not longer passwords will attack the second authentication factor.

Now the security delta between "a 16-character password with a search space on the order of 10^30" and "an 8-character password with a search space on the order of 10^14" isn't as large as you may think - there aren't that many attacks that the weaker password is susceptible to but the stronger one isn't. Re-using passwords is dangerous regardless of the password length. The same is true for MITM, key loggers and most other common attacks on passwords.

The kind of attacks in which the password length is meaningful are dictionary attacks - i.e. attacks in which the attacker does an exhaustive search for your password in a dictionary. Trying all possible passwords in the login screen is obviously not feasible for a search space of 10^14, but if an attacker obtains a hash of your password then it may be feasible to check this hash for a search space of 10^14 but not for a search space of 10^30.

Here is where the fact that you've specified Google in your question is important. Google are serious about password security and do what it takes to keep your hashed passwords secure. This includes protecting the servers on which the hashed passwords reside and using salt, pepper and key stretching to thwart a hacker who has somehow managed to get the hashed passwords.

If an attacker has succeeded in circumventing all the above, i.e. is able to obtain Google's database of salts and hashed passwords and is able to obtain the secret pepper and is able to do an exhaustive search with key stretching on a search space of 10^14, then unless you're the director of the CIA that attacker won't be wasting any time on hacking your phone to bypass the second authentication factor - they will be too busy hacking the hundreds of millions of Gmail accounts that don't use two-factor authentication. Such a hacker isn't someone targeting you specifically - it's someone targeting the whole world.

If your data is so valuable that such a powerful hacker would target you specifically then you really shouldn't be putting your data in Gmail in the first place. For that matter you shouldn't be putting it on any computer that is connected to the Internet.
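
As an added example that is not part of this answer (and not anything Google publishes), the following Python script puts numbers to the online-versus-offline distinction made above. The guess rates, the 100,000-iteration stretching factor, the alphabet sizes and the one-year budget are all assumptions chosen for illustration, not measured figures; swap in your own.

```python
"""
Added example (not from the original answer): exhaustive-search time for the
two password sizes in the question under the three attack models the answer
distinguishes.  Every rate and iteration count below is an ASSUMPTION chosen
for illustration; plug in your own figures.
"""
from dataclasses import dataclass

SECONDS_PER_YEAR = 365.25 * 24 * 3600


@dataclass(frozen=True)
class AttackModel:
    name: str
    guesses_per_second: float  # candidate checks per second (assumed)
    stretch_factor: int = 1    # hash iterations per candidate (1 = no stretching)

    def seconds_to_exhaust(self, search_space: float) -> float:
        """Worst case: every candidate must be tried once."""
        return search_space * self.stretch_factor / self.guesses_per_second


# Assumed models.  Online: the login form throttles guesses.  Offline-fast: a
# leaked hash with no stretching at GPU speeds.  Offline-stretched: same rig,
# but the hash is salted and iterated 100,000 times, so each guess costs more.
ONLINE = AttackModel("online login form, rate-limited", guesses_per_second=10)
OFFLINE_FAST = AttackModel("offline, leaked unstretched hash", guesses_per_second=1e11)
OFFLINE_STRETCHED = AttackModel("offline, leaked salted+stretched hash",
                                guesses_per_second=1e11, stretch_factor=100_000)


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates for a uniformly random password."""
    return alphabet_size ** length


def years_to_exhaust(space: float, model: AttackModel) -> float:
    return model.seconds_to_exhaust(space) / SECONDS_PER_YEAR


def feasible(space: float, model: AttackModel, budget_years: float = 1.0) -> bool:
    """True if the whole space can be searched within the attacker's time budget."""
    return years_to_exhaust(space, model) <= budget_years


if __name__ == "__main__":
    # The question's two sizes: roughly 1e14 (8 chars) and 1e30 (16 chars).
    for label, space in (("8 chars, 62-symbol alphabet", search_space(62, 8)),
                         ("16 chars, 95-symbol alphabet", search_space(95, 16))):
        print(f"{label}: {space:.2e} candidates")
        for model in (ONLINE, OFFLINE_FAST, OFFLINE_STRETCHED):
            yrs = years_to_exhaust(space, model)
            print(f"  {model.name:40s} {yrs:12.3g} years  feasible={feasible(space, model)}")
```

Under these assumptions 10^14 falls in about a quarter of an hour to an unstretched leaked hash, takes a few years against the stretched one, and is hopeless through the rate-limited login form, while 10^30 is out of reach in every model; that is the shape of the argument above, and the only row that changes when you shorten the password is the leaked-hash one.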

A weak password + two-factor authentication might still be safer than a strong password alone but it will be less safe than a strong password + two-factor authentication.

It all depends on how weak you go: if you go all the way and make the password trivial you effectively end up with one-factor authentication (the Google text message to your phone). But this might still be safer than your original strong password.

First of all, the fundamental concept of TFA:
- something the user knows (the password you are using)
- something the user has (in the case of Google this is your phone: they send a verification code to the phone number you have provided)

First, you have to understand that, judging by what you said:

But typing in those passwords all the time is a real hassle,
especially on a phone or tablet.

this means that a lot of the time you are using Gmail from your phone, so if I have stolen or borrowed your phone for some time, your TFA becomes just OFA with your password. I will tell you even more: in some countries, if you have connections to people who work at mobile companies and have the appropriate access, they can simply issue your phone number to another person. Another thing is that the attacker can intercept the authentication process, by which I mean that an attacker can just take your phone right when you are supposed to get the message.
After this paranoid detour, I will come at it from another direction.

Just think for a little bit: TFA was used a long time ago and is used right now by millions of customers every day, with a search space of 10000 (a 4-digit number). This is your bank card. How often has your card been misused during your whole life? I assume not a lot. And I am pretty sure that most people would rather get your money than read your email.

Another point: Google is not the worst company, and they really make sure your data is secure (if someone proves otherwise, they will lose to competitors who will make sure). So I am pretty sure they handle everything correctly, and the reason they implemented TFA is to compensate for weak passwords.

This brings us to one of the most important issues in security: your security measures must be appropriate for the type of information you are trying to keep secret. Whenever I hear something like "I use a 40-digit password to access my weather forecast for tomorrow", my question is: why? I would use just 123 as the password. What will happen if I get it? You will just create another account. So what is the point? Of course this is an exaggeration.

But if you think that your correspondence is so important that someone will steal your phone and brute-force 16 characters to get it, then most probably Gmail is not good for you, and most probably walking on the street without a bodyguard is not either.

I'd be willing to bet my next week's pay that if you add 2-factor and drop your password from 32 to 31 characters, you haven't dropped security by any appreciable margin. I'm not willing to make the same bet if you drop the length of the password to 2 characters. Where is the boundary? How many characters is 2F worth? That's the question I want answered.

The relevant question is how much can you relax? How resilient is each of the mitigations? How independent? Those are the money questions.

Well, it's about personal preference. Gmail didn't introduce 2-step authentication so that people can use weak passwords. It's there just as an added layer of security, although there's a very rare chance of getting into trouble with a weak password with 2-step verification. There is a list of backup codes and application-specific passwords in case the user can't access their phone. But still I'd use a strong password, although not one which takes millions of centuries to brute-force; 20-30 years are enough for me. ;)

I'm asking a technical question, not a personal-preference question. What I'd like to hear is a plausible scenario where a weak password could get me into trouble in spite of 2SA.
– Herb Caudill, Nov 10 '12 at 20:31

The vulnerability in these two-stage password schemes is the delivery channel, i.e. wireless providers, SMS routing networks, your phone. Any of those could be attacked to intercept the one-time password sent by Google.

But attacks against accounts are rarely strictly technical, and almost always involve gaming some human somewhere in the chain.

As good as Google's system is, Wired is running an article describing an attack that nullifies its protections entirely.

Attackers impersonated a wireless account holder to add a forwarding number to the account, then selected the 'call me' option to have the code delivered, instead of SMS. When Google called with the OTP, the call was forwarded to the attacker's phone and they gained access to the Google account.

This is interesting - I've bookmarked the Wired article to read - but is an answer to a different question. I wasn't really asking whether 2FA is invulnerable, but whether I can relax a bit about the crackability of my password if I'm using 2FA.
– Herb Caudill, Nov 15 '12 at 17:14

It's definitely a question of trust as Henning points out, but there is one important factor to add:

If the two-way authentication is based on a mobile TAN, then it really only adds an additional layer of security if the site isn't accessed from the phone. Otherwise, even though there are two layers, it's really just one. Weakening one is hence not a good idea.

Gmail and Dropbox use OTP (one-time-password) as the second factor delivered to a mobile phone or calculated on a device that you own - 'what you have'. This is much more secure than a remembered password - 'what you know'.

As you point out, the only scenario is:
1. What you have - mobile phone or fob that generates or receives the OTP - is lost or stolen.
2. The weak password - what you know - is guessed or brute-forced in N attempts
3. The OTP generator and/or the login mechanism does not deny access before N attempts.

As an example, one of my clients has remote VPN access, with the logon ID being the email address (very easy to guess) and a password composed of a 4-digit PIN concatenated with a 6-digit OTP. If my phone with the OTP generator were to be stolen, the thief would need to guess the 4-digit PIN. If the remote access locks out after 5 or 6 attempts, the math says that it would be pretty secure.

This mechanism would be exactly equivalent to a PIN on your phone that no one knows. If you are using Gmail for Apps or Exchange, you may want to enforce a PIN policy on your mobile phone, denying access to the OTP text message or generator.

Conclusion: a weak password (at least 4 chars/digits) and an OTP (two-factor token of 6 digits) would provide more protection against brute force than just a strong password of 10 digits. However, this would not be effective if the weak password can be socially guessed by someone who also has access to your mobile phone or fob that is not protected with a PIN, i.e. a malicious friend who knows your date of birth (weak password) and also has access to your unprotected mobile phone.
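
The "math" behind the lockout claim above, and behind the bank-card PIN comparison in an earlier answer, as an added Python example that is not part of either answer. Attacker model: the second factor is already in the attacker's hands (stolen phone or fob with no device PIN), so only the short secret remains to be guessed. The attempt counts, throttle rate and the "friend knows your birthday" prior are constructed for illustration.

```python
"""
Added example, not part of either original answer: the lockout arithmetic
behind "if the remote access locks out after 5 or 6 attempts, the math says
that it would be pretty secure" and the bank-card PIN comparison made in an
earlier answer.  Attacker model: the second factor is already in the
attacker's hands (stolen phone or fob, no device PIN), so only the short
secret remains to be guessed.  All numbers and priors are constructed.
"""
from fractions import Fraction


def lockout_success_probability(search_space: int, attempts_allowed: int) -> Fraction:
    """Chance of hitting a uniformly random secret before the account locks.

    Guesses are distinct and each hits with probability 1/search_space, so
    the total is attempts_allowed/search_space, capped at 1.
    """
    if search_space <= 0 or attempts_allowed < 0:
        raise ValueError("search_space must be positive, attempts_allowed non-negative")
    return min(Fraction(1), Fraction(attempts_allowed, search_space))


def no_lockout_success_probability(search_space: int, guesses_per_second: int,
                                   seconds: int) -> Fraction:
    """Same secret, but the server only throttles instead of locking out."""
    return lockout_success_probability(search_space, guesses_per_second * seconds)


def informed_success_probability(prior: dict, search_space: int,
                                 attempts_allowed: int) -> float:
    """Success chance for an attacker holding a ranked list of likely secrets.

    prior maps candidate -> probability the victim chose it (e.g. a friend who
    knows the birthday).  The remaining probability mass is assumed to be
    spread uniformly over the rest of the space; the attacker tries the ranked
    candidates first and then random leftovers until locked out.
    """
    known_mass = sum(prior.values())
    if not 0.0 <= known_mass <= 1.0 or len(prior) > search_space:
        raise ValueError("prior must be a sub-distribution over the space")
    ranked = sorted(prior.values(), reverse=True)
    hits = sum(ranked[:attempts_allowed])
    leftover_guesses = max(0, attempts_allowed - len(ranked))
    residual_space = search_space - len(ranked)
    if leftover_guesses and residual_space:
        hits += min(leftover_guesses, residual_space) * (1.0 - known_mass) / residual_space
    return min(1.0, hits)


if __name__ == "__main__":
    # Bank card: 4-digit PIN, card blocked after 3 wrong tries.
    print("bank card, 3 tries:  ", lockout_success_probability(10_000, 3))
    # The client VPN from the answer: 4-digit PIN in front of the OTP, 5 tries.
    print("VPN PIN, 5 tries:    ", lockout_success_probability(10_000, 5))
    # Same PIN with only throttling (10 guesses/s) and twenty patient minutes.
    print("throttle only, 20min:", no_lockout_success_probability(10_000, 10, 1200))
    # Malicious friend who is 90% sure the PIN is the birthday as DDMM (constructed).
    print("friend w/ birthday:  ", informed_success_probability({"1503": 0.9}, 10_000, 5))
```

The lockout is doing all the work: with it, a 4-digit PIN gives the thief a 1-in-2000 chance; without it, ten guesses a second exhaust the PIN in under twenty minutes. The informed-attacker function shows the answer's caveat in numbers, since a guessable PIN turns the same lockout policy into a near-certain win for the friend with the phone.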

You could use KeePass instead, which has been ported to various mobile devices. Set it up so that you only have to enter a strong (or weaker, since the database is local) password once in a while and have it auto-insert the strong passwords into e.g. Gmail.

If your device happens to support USB-A keyboards, you could even consider using a Yubikey (nano) with a static password (or in its default OTP mode, e.g. linked to LastPass). Then your only inconvenience (and yet safety) would be pushing the small button on it.

Edit: Since the YubiKey NEO has NFC support, you can also use it on phones that support NFC. I found some instructions on using that with LastPass here.